mirror of
https://github.com/kremalicious/umami.git
synced 2024-12-24 18:26:20 +01:00
Added content security policy.
This commit is contained in:
parent
2b7da339e2
commit
adb069babc
@ -33,14 +33,6 @@ function customScriptName(req) {
|
||||
}
|
||||
}
|
||||
|
||||
function forceSSL(req, res) {
|
||||
if (process.env.FORCE_SSL && req.nextUrl.protocol === 'http:') {
|
||||
res.headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
|
||||
}
|
||||
|
||||
return res;
|
||||
}
|
||||
|
||||
export default function middleware(req) {
|
||||
const fns = [customCollectEndpoint, customScriptName];
|
||||
|
||||
@ -51,5 +43,5 @@ export default function middleware(req) {
|
||||
}
|
||||
}
|
||||
|
||||
return forceSSL(req, NextResponse.next());
|
||||
return NextResponse.next();
|
||||
}
|
||||
|
@ -1,6 +1,37 @@
|
||||
require('dotenv').config();
|
||||
const pkg = require('./package.json');
|
||||
|
||||
const contentSecurityPolicy = `
|
||||
default-src 'self';
|
||||
img-src *;
|
||||
script-src 'self' 'unsafe-eval';
|
||||
style-src 'self' 'unsafe-inline';
|
||||
connect-src 'self' api.umami.is;
|
||||
frame-ancestors 'self';
|
||||
`;
|
||||
|
||||
const headers = [
|
||||
{
|
||||
key: 'X-DNS-Prefetch-Control',
|
||||
value: 'on',
|
||||
},
|
||||
{
|
||||
key: 'X-Frame-Options',
|
||||
value: 'SAMEORIGIN',
|
||||
},
|
||||
{
|
||||
key: 'Content-Security-Policy',
|
||||
value: contentSecurityPolicy.replace(/\s{2,}/g, ' ').trim(),
|
||||
},
|
||||
];
|
||||
|
||||
if (process.env.FORCE_SSL) {
|
||||
headers.push({
|
||||
key: 'Strict-Transport-Security',
|
||||
value: 'max-age=63072000; includeSubDomains; preload',
|
||||
});
|
||||
}
|
||||
|
||||
module.exports = {
|
||||
env: {
|
||||
currentVersion: pkg.version,
|
||||
@ -24,6 +55,10 @@ module.exports = {
|
||||
},
|
||||
async headers() {
|
||||
return [
|
||||
{
|
||||
source: '/:path*',
|
||||
headers,
|
||||
},
|
||||
{
|
||||
source: `/(.*\\.js)`,
|
||||
headers: [
|
||||
|
Loading…
Reference in New Issue
Block a user